Feature: Enhanced Extension System with Tool Interception & Lifecycle Events (inspired by Pi)

[teknium1]

Overview

Inspired by the Pi coding agent (GitHub), this proposes significantly enhancing Hermes Agent's hook/extension system to support tool interception, context modification, event cancellation, and richer lifecycle events. Pi's extension system is its deepest architectural strength -- it provides 30+ lifecycle events with the ability to block tool calls, modify tool results, transform context before it reaches the LLM, and even replace UI components.

Hermes already has a hook system (gateway/hooks.py) with 7 event types, but it's fire-and-forget with no return values or cancellation. This proposal would evolve it into a full extension API that enables powerful plugins: approval gates, audit logging, custom sandboxing, context injection, tool result transformation, and more.

This builds on the existing hook infrastructure rather than replacing it, and complements the existing tool registry and skills systems.

---

Research Findings

How Pi's Extension System Works

Pi extensions are TypeScript modules that receive an ExtensionAPI object with deep hooks into the agent lifecycle:

Event System (30+ events):

Category	Events	Can Cancel/Modify?
Session lifecycle	session_start, session_before_switch, session_switch, session_before_compact, session_compact, session_shutdown	Yes (before_ events)
Agent lifecycle	before_agent_start, agent_start, agent_end, turn_start, turn_end	Yes (before_ events)
Message streaming	message_start, message_update, message_end	No (observe only)
Tool interception	tool_call (can BLOCK), tool_result (can MODIFY)	Yes -- this is key
Input processing	input (can transform or handle user input)	Yes
Context	context (can modify messages before LLM)	Yes -- modify context
Model events	model_select	Yes
Bash execution	user_bash (can replace execution)	Yes

Tool Interception Pattern:

// Extension can intercept any tool call
pi.on('tool_call', async (event) => {
  // Block dangerous commands
  if (event.tool === 'bash' && event.args.command.includes('rm -rf')) {
    event.block('Dangerous command blocked by safety extension');
    return;
  }
  // Or modify arguments before execution
  event.args.command = wrapInSandbox(event.args.command);
});

// Modify tool results before they reach the LLM
pi.on('tool_result', async (event) => {
  event.result = sanitize(event.result);
});

Context Modification Pattern:

// Inject or modify messages right before they go to the LLM
pi.on('context', async (event) => {
  // Add dynamic context based on current state
  event.messages.push({
    role: 'user',
    content: `Current git branch: ${await getGitBranch()}`
  });
});

Registration APIs:

• pi.registerTool() -- add LLM-callable tools dynamically
• pi.registerCommand() -- add slash commands
• pi.registerShortcut() -- add keyboard shortcuts
• pi.registerProvider() -- add model providers with OAuth support
• pi.setActiveTools() / pi.getActiveTools() -- dynamic tool management
• pi.events -- shared EventBus for inter-extension communication

Extension Discovery:

• Project-local: .pi/extensions/
• Global: ~/.pi/agent/extensions/
• Package manager: pi install npm:@foo/pi-tools

Key Design Decisions

1. Before/after event pattern -- before_X events can cancel the operation; X events fire after completion (observe only). Clean separation of concerns.
2. Tool interception as first-class -- Any tool call can be blocked or modified by extensions. This enables approval gates, sandboxing, logging without modifying tool code.
3. Context as an event -- The message array going to the LLM is exposed as a modifiable event, enabling dynamic context injection from any extension.
4. Extension isolation -- Extensions share an EventBus but can't directly access each other. Communication is event-driven.

---

Current State in Hermes Agent

Existing Hook System (gateway/hooks.py)

Hermes has a lightweight hook system:

• Discovery: File-based, ~/.hermes/hooks/<hook-name>/ with HOOK.yaml + handler.py
• 7 event types: gateway:startup, session:start, session:reset, agent:start, agent:step, agent:end, command:*
• Dispatch: emit(event_type, context) fires all matching handlers
• Sync + async handler support
• Wildcard matching (command:* matches any command:X)
• Fire-and-forget -- errors caught and logged, never block pipeline
• No return values, no cancellation, no modification

Other Extension Points

• Tool Registry (tools/registry.py): Self-registering tools at import time. ToolEntry with schema, handler, check_fn. Toolset-based grouping.
• Skills System: On-demand knowledge docs, agentskills.io compatible, Skills Hub for install
• Context Files: SOUL.md, AGENTS.md, .cursorrules loaded into system prompt
• Callbacks: tool_progress_callback, clarify_callback, step_callback in AIAgent
• Memory System: Persistent MEMORY.md + USER.md

The Gap

The hook system is observe-only. There's no way for extensions to:

• Block or approve tool calls before execution
• Modify tool results before they reach the LLM
• Inject dynamic context into the message array
• Register new tools at runtime
• Add custom slash commands from extensions
• Communicate between extensions via events

---

Implementation Plan

Skill vs. Tool Classification

This is a core codebase change -- it enhances the fundamental extension architecture of the agent. It touches gateway/hooks.py, run_agent.py (the agent loop), tools/registry.py (tool dispatch), and gateway/run.py (command handling). Cannot be expressed as a skill or tool.

What We'd Need

• Enhanced event system with return values, cancellation, and priority ordering
• Tool call/result interception points in the agent loop
• Context modification hook before LLM API calls
• Extension manifest format (beyond HOOK.yaml)
• Dynamic tool and command registration APIs
• Inter-extension event bus

Phased Rollout

Phase 1: Enhanced Event System

• Upgrade HookRegistry to support return values from handlers
• Add before_ event pattern: before_tool_call, before_agent_start, before_compress
• before_ handlers can return {"cancel": True, "reason": "..."} to block the operation
• Add priority ordering to handlers (lower number = earlier execution)
• Add tool_call and tool_result events with modification capability
• Maintain backward compatibility -- existing hooks work unchanged

Phase 2: Context & Tool Hooks

• Add context event fired in run_agent.py before building API messages
  • Handlers receive the message array and can modify it (add/remove/edit messages)
  • Enables dynamic context injection (git state, environment info, custom data)
• Add input event for user message preprocessing
• Add runtime tool registration: register_tool(name, schema, handler) via extension API
• Add runtime command registration: register_command(name, handler) via extension API

Phase 3: Extension Ecosystem

• Extension manifest format (EXTENSION.yaml with metadata, dependencies, events)
• Extension package manager (hermes extensions install <source>)
• Inter-extension event bus for extension-to-extension communication
• Extension UI hooks for CLI mode (status bar, custom widgets)
• Built-in extensions: audit logger, safety gate, git checkpoint

---

Pros & Cons

Pros

• Powerful plugin ecosystem -- Enables approval gates, sandboxing, audit logging, custom providers without modifying core code
• Safety without rigidity -- Tool interception allows per-project or per-user security policies via extensions rather than baked-in permission popups
• Dynamic context -- Extensions can inject real-time project state (git branch, test results, linter output) into LLM context
• Backward compatible -- Existing hooks continue working; new capabilities are opt-in
• Community extensibility -- Users can share extensions for specific workflows, tools, or integrations

Cons / Risks

• Complexity cost -- More extension points = more surface area for bugs, harder to reason about behavior
• Performance -- Synchronous hook chains before tool calls add latency; need careful async design
• Security -- Extensions with tool interception have significant power; need trust model
• Ordering issues -- Multiple extensions modifying the same event can create conflicts; priority system helps but doesn't eliminate
• Maintenance burden -- Extension API becomes a contract that's hard to change once published

---

Open Questions

• Should extension-registered tools be visible alongside built-in tools, or namespaced (e.g., ext:tool_name)?
• Should there be an extension permissions model (which events an extension can subscribe to)?
• How should extension conflicts be handled (two extensions modifying the same tool result)?
• Should extensions be able to modify the system prompt, or only the message array?
• What's the right trust boundary -- should extensions run in a sandbox or have full access?

---

References

• Pi coding agent -- GitHub repo
• Pi extension API -- extensions.ts, wrapper.ts (tool interception)
• Pi extension examples -- 50+ examples including permission gates, SSH, plan mode, sub-agents
• HN discussion on Pi extensibility
• Existing Hermes hooks: gateway/hooks.py, events used in gateway/run.py
• Related issue: Multi-agent support #299 (Multi-agent support) -- extension system would enable this pattern
• Related issue: Feature: Multi-Agent Architecture — Orchestration, Cooperation, Specialized Roles & Resilient Workflows #344 (Workflow Formulas) -- extensions could implement workflow orchestration
• Pi is MIT licensed -- patterns can be freely adapted

[teknium1]

Community Interest: Concrete Use Cases for Intercept-Capable Hooks

Mike Bird raised specific use cases for blocking/intercept hooks (discussion context):

1. Block dangerous tool calls before they execute
2. Modify tool arguments before execution
3. Force the agent to keep working (override stop decisions)
4. Inject context at session start or prompt submission
5. Auto-approve safe operations (extend approval.py via hooks)
6. Use an LLM to evaluate whether an action should proceed

These map cleanly to this issue's proposed phases but add nuance worth capturing, particularly #3 (loop control) and #6 (LLM-as-judge). Below is cross-framework research and a concrete API sketch.

---

Cross-Framework Research: How Others Do It

Researched 6 major frameworks. Every single one supports tool call interception — this is table-stakes for mature agent frameworks.

Pattern Summary

Framework	Block	Modify Args	Modify Results	API Pattern
LangChain (v1.2.10+)	✅	✅	✅	Middleware chain with wrap_tool_call(request, handler)
CrewAI	✅	✅ (in-place)	✅	@before_tool_call / @after_tool_call decorators
OpenAI Agents SDK	✅	❌	✅	@tool_input_guardrail / tripwire pattern
AutoGen (Python)	✅	✅	❌	InterventionHandler.on_send() at message level
AutoGen (.NET)	✅	✅	✅	ASP.NET-style next() delegate middleware
Semantic Kernel	✅	✅	✅	IAutoFunctionInvocationFilter with next()

Three Dominant Patterns

1. Handler-Callback / next() Pattern (LangChain, Semantic Kernel, AutoGen .NET)

async def my_middleware(request, next):
    # Pre-processing: inspect/modify request
    if request.tool_name == "rm_rf":
        return ToolResult(error="Blocked!")  # short-circuit
    request.args["safe_mode"] = True  # modify args
    result = await next(request)  # call actual tool
    result.content = redact(result.content)  # modify result
    return result

Most flexible. Composable. But ordering matters (LIFO vs FIFO varies).

2. Before/After Hook Pattern (CrewAI)

@before_tool_call
def my_hook(ctx) -> bool | None:
    return False  # blocks execution

@after_tool_call
def my_hook(ctx) -> str | None:
    return "redacted"  # replaces result

Simpler API. Return values control behavior. Less composable but easier to understand.

3. Guardrail/Tripwire Pattern (OpenAI Agents SDK)

@tool_input_guardrail
def block_secrets(data):
    if "sk-" in data.context.tool_arguments:
        return ToolGuardrailFunctionOutput.reject_content("Remove secrets.")
    return ToolGuardrailFunctionOutput.allow()

Most limited — no argument modification, only on custom function_tools.

Recommendation for Hermes

The before/after hook pattern (CrewAI-style) fits Hermes best because:

• Matches our existing HOOK.yaml + handler.py discovery model
• Simpler than middleware chains (no next() confusion)
• Return-value semantics are intuitive (return False to block, return string to replace)
• Backward compatible — existing observe-only hooks just don't return values

---

Concrete API Proposal: Mapping Mike Bird's Use Cases

New Events (extending current 7)

Event	When	Can Block/Modify?	Mike Bird Use Case
before:tool_call	Before any tool executes	Block (return False) or modify args (mutate context["args"])	#1, #2, #5, #6
after:tool_call	After tool returns result	Modify result (return string)	—
before:agent_end	Agent about to stop (no tool calls)	Force continue (return {"continue": True})	#3
before:prompt	Before messages go to LLM	Inject/modify messages (mutate context["messages"])	#4
session:prompt	User submits a new message	Inject context (mutate context["message"])	#4

Handler API (backward compatible)

# HOOK.yaml
name: safety-gate
description: LLM-evaluated tool approval
events:
  - before:tool_call
  - before:agent_end

# handler.py
import json
from openai import OpenAI

client = OpenAI()

async def handle(event_type: str, context: dict):
    """Return value semantics:
    - None/no return: allow (backward compatible with existing hooks)
    - False: block the action
    - str: replace the result
    - dict with "continue": True: force agent to keep working
    - dict with "args": {}: replace tool arguments
    """
    if event_type == "before:tool_call":
        tool_name = context["tool_name"]
        args = context["args"]
        
        # Use case #5: Auto-approve safe operations
        if tool_name in ("read_file", "search_files", "web_search"):
            return True  # explicitly approve, skip normal approval flow
        
        # Use case #6: LLM-as-judge
        if tool_name == "terminal":
            judgment = client.chat.completions.create(
                model="gpt-4o-mini",
                messages=[{
                    "role": "user",
                    "content": f"Is this command safe? {args.get(command, )} Reply YES or NO."
                }]
            )
            if "NO" in judgment.choices[0].message.content:
                return False  # Block
        
        # Use case #2: Modify arguments
        if tool_name == "terminal" and "--no-sandbox" in args.get("command", ""):
            args["command"] = args["command"].replace("--no-sandbox", "")
            return {"args": args}
    
    elif event_type == "before:agent_end":
        # Use case #3: Force the agent to keep working
        response = context.get("response", "")
        if "TODO" in response or len(response) < 20:
            return {"continue": True, "inject": "You haven't finished. Keep working."}

Implementation Points in run_agent.py

The interception points map to specific locations in the codebase:

1. before:tool_call — In _execute_tool_calls() (line 2411), between argument parsing (line 2440) and the actual dispatch (line 2570/2581). Insert:

   hook_result = await self.hooks.emit_blocking("before:tool_call", {
       "tool_name": function_name, "args": function_args,
       "tool_call_id": tool_call.id,
   })
   if hook_result is False:
       function_result = "Tool call blocked by hook"
       # skip execution, continue to next tool
   elif isinstance(hook_result, dict) and "args" in hook_result:
       function_args = hook_result["args"]

2. after:tool_call — After line 2587 (result_preview), before appending to messages.

3. before:agent_end — At line 3675 (the else branch for "no tool calls = final response"), before the break at line 3790.

4. before:prompt — In run() before the API call at line ~3540, after messages are assembled.

5. session:prompt — In gateway/run.py around line 893 (already has agent:start emit).

Key Design Decision: emit() vs emit_blocking()

Current emit() returns None and catches all errors. For intercept hooks, we need a new emit_blocking() that:

• Returns the first non-None return value from handlers
• Runs handlers in priority order (from HOOK.yaml: priority: 10)
• Still catches errors per-handler but propagates return values
• Has a timeout (default 30s) to prevent hooks from hanging the pipeline

async def emit_blocking(self, event_type, context=None, timeout=30.0):
    """Fire handlers and return first non-None result."""
    handlers = self._get_handlers(event_type)
    for fn in sorted(handlers, key=lambda h: getattr(h, "_priority", 50)):
        try:
            result = fn(event_type, context)
            if asyncio.iscoroutine(result):
                result = await asyncio.wait_for(result, timeout=timeout)
            if result is not None:
                return result
        except asyncio.TimeoutError:
            print(f"[hooks] Timeout in blocking handler for {event_type}")
        except Exception as e:
            print(f"[hooks] Error in blocking handler for {event_type}: {e}")
    return None

Integration with Existing approval.py

Mike Bird's use case #5 (auto-approve safe operations) would integrate with the existing dangerous command system. The before:tool_call hook fires BEFORE check_dangerous_command() in the terminal tool, giving hooks first say. If a hook returns True (explicitly approve), the approval system is bypassed for that call.

---

Priority Assessment

This is the single most impactful architectural improvement for Hermes's extensibility. Every major agent framework has this. The before/after pattern can be added incrementally:

1. Week 1: Add emit_blocking() to HookRegistry + before:tool_call event in _execute_tool_calls() → unlocks use cases Terminal tool #1, Support passing morph snapshot id #2, Update snapshot #5, Fix VM instance sharing across tasks #6
2. Week 2: Add before:agent_end → unlocks use case Architecture planning #3
3. Week 3: Add before:prompt + session:prompt → unlocks use case Fix terminal interactivity #4
4. Week 4: Add after:tool_call + priority ordering + timeout guards

Existing hooks remain fully backward compatible throughout.

[matthiasdebernardini]

I use pre/post tool hook in claude code to store all my usage (in duckdb) and which folders I do work in, then burst analysis on that tool use, to keep track of how much time I am spending on what I am working on. So this feature would enable me to do that.

+1

[prometixX]

Is there any update? We also really need this feature, especially being able to hook into tool calls and approve/deny them in an external system async.

[Ti0aceite]

Big +1 on the overall direction. I just filed two narrow companion issues that should slot naturally into this vision as incremental deliverables:

• #9388 — pre_tool_call hook REJECT semantics (~10-line patch to model_tools.py, unlocks the tool_call block pattern you describe above)
• #9389 — declarative tools.*.allowed_paths config-time scoping (the common-case path policy, complements the hook-based approach for the 80%)

Context: I run a multi-tenant Hermes deployment where I need one profile's LLM (Telegram-facing, exposed to potentially adversarial input) to be structurally incapable of reading a sibling profile's credentials via the terminal tool. Full 3-layer isolation design write-up here: forge/specs/spec-005-profile-isolation-3-layers.md.

Both issues are explicitly framed as forward-compatible stepping stones toward the richer event API in this proposal — #9388 is essentially the minimal viable tool_call block, and #9389 is a declarative sugar layer on top that keeps common policies out of extension code. Happy to PR either once a maintainer signals the direction.

[iRonin]

Following up with a concrete, shippable first step that covers the "replace a built-in tool with your own implementation" use case:

#11049 — Custom tool overrides via ~/.hermes/custom_tools/

This adds a drop-in directory where users place *.py files that override built-in tools (e.g. replace browser_tool.py with a headed Chrome CDP implementation). It's ~160 lines, fully backwards compatible, and works alongside the existing skills/contexts system. The PR is ready on ironin/tool-override-plugin.

How this relates to the #359 vision:

• This PR handles the "use a different implementation" case — wholesale replacement of a tool at import time.
• Feature: Enhanced Extension System with Tool Interception & Lifecycle Events (inspired by Pi) #359's before:tool_call / after:tool_call hooks would handle the "intercept / modify / block calls to any implementation" case — runtime event interception.
• They are complementary, not competing. You could replace the browser tool with a custom CDP backend via this PR, then use Feature: Enhanced Extension System with Tool Interception & Lifecycle Events (inspired by Pi) #359's hooks to audit, approve, or transform calls to that custom tool.

I see #9388 (pre_tool_call blocking) already landed in main per @LarHope's comment above — so the hook-based interception piece is partially delivered. This PR fills the other half: making it possible to actually ship a custom tool implementation without forking or patching core files.

Happy to adjust the PR if maintainers see overlap or want to fold it into a larger extensibility effort.

[teknium1]

Status: substantially delivered — closing

Most of this proposal has shipped through the plugin hook system over the last several months. The remaining gaps are tracked in narrower follow-ups.

What's on main today

Hook events (hermes_cli/plugins.VALID_HOOKS, 16 events):

Category	Events	Capability
Tool interception	pre_tool_call, post_tool_call, transform_tool_result, transform_terminal_output	Block (return {"action":"block","message":...}), modify args, modify results
LLM lifecycle	pre_llm_call, post_llm_call, pre_api_request, post_api_request, transform_llm_output	Observe API calls, rewrite final response text
Session lifecycle	on_session_start, on_session_end, on_session_finalize, on_session_reset, subagent_stop
Gateway	pre_gateway_dispatch (skip/rewrite incoming)
Approval	pre_approval_request, post_approval_response	Observe approvals across CLI + gateway + ACP

Runtime registration APIs via PluginContext:

• register_tool, register_skill, register_cli_command, register_slash_command
• register_web_search_provider, register_memory_provider, register_context_engine
• register_platform (gateway adapters)
• set_thread_tool_whitelist — per-thread tool gating, composes with pre_tool_call
• inject_message — push messages into the active conversation

Shell-script hook bridge (agent/shell_hooks.py): Claude-Code-style hooks via a hooks: block in cli-config.yaml. JSON-on-stdin, JSON-on-stdout, first-use consent gate, no Python required. Composes with Python plugins through the same invoke_hook() dispatch.

Mike Bird's six use cases:

1. Block dangerous tool calls → pre_tool_call returning block ✅
2. Modify tool arguments → mutate kwargs in pre_tool_call ✅
3. Force agent to keep working → ❌ not yet
4. Inject context at session/prompt start → on_session_start / pre_llm_call ✅ (observe; mutation contract on messages is not formalized — see below)
5. Auto-approve safe operations → pre_approval_request + pre_tool_call ✅
6. LLM-as-judge before action → pre_tool_call can call any LLM ✅

Companion issues

• feat: pre_tool_call hook should support REJECT semantics (10-line patch) #9388 — pre_tool_call REJECT semantics — closed, shipped
• feat: declarative tools.*.allowed_paths config-time scoping for filesystem tools #9389 — declarative tools.*.allowed_paths — open, no PR yet
• Feature: Custom tool overrides via ~/.hermes/custom_tools/ #11049 — custom tool overrides via ~/.hermes/custom_tools/ — open, no PR yet

Remaining gaps (worth their own narrow issues if anyone wants to drive them)

1. Formal message-mutation contract on pre_llm_call — kwargs include messages but plugins can't currently rewrite the array. (Mike Bird's Fix terminal interactivity #4 and the original "context event" ask.)
2. Handler priority ordering — handlers run in registration order; no priority: N field.
3. before_agent_end to override the "no tool calls = final response" exit (Mike Bird's Architecture planning #3).
4. Inter-extension event bus — plugins talk through invoke_hook today; no shared pub-sub channel.
5. Extension manifest beyond plugin.yaml / HOOK.yaml — no hermes extensions install <source> package-manager flow.
6. UI hooks for CLI widgets / status bar — TUI is React/Ink and doesn't expose plugin slots.

Anyone wanting to drive one of these — file a focused issue with a use case and we'll scope it.

Closing this umbrella since the core extension surface is in place. Thanks to everyone who contributed.